DEV Community

Shunsuke Suzuki

Fix Code Via GitHub Actions By Verified Commits

This post introduces a GitHub Action that fixes code with verified commits.

https://github.com/suzuki-shunsuke/commit-action

commit-action pushes a verified commit

It's useful to fix pull requests via GitHub Actions.
It's also useful to fix code on a base branch after pull requests are merged.
For instance, you can format code and generate documentation from source code automatically.

To achieve this, you need to create and push commits in CI.
commit-action is an action for this.

Why Use commit-action?

Unlike similar actions, commit-action creates and pushes commits through the GitHub API instead of Git commands.
So you can create verified commits using the GitHub Actions token ${{github.token}} or a GitHub App installation access token.

Commit signing is important for security.

https://docs.github.com/en/authentication/managing-commit-signature-verification

To create verified commits using Git, a GPG key or SSH key is required.
It's bothersome to manage GPG keys and SSH keys properly for automation, so it's awesome that commit-action can create verified commits without them.
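
As an added illustration (not commit-action's own code, and not from the original post): the post does not say which API call the action makes, so this example assumes GitHub's GraphQL `createCommitOnBranch` mutation, whose commits GitHub signs itself, and builds the request body for it without any local signing key. The branch default follows the `${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}` rule the post gives under How To Use; the function names, repository name, commit id and file contents are constructed.

```python
import base64

MUTATION = """mutation ($input: CreateCommitOnBranchInput!) {
  createCommitOnBranch(input: $input) { commit { oid url } }
}"""

def target_branch(env):
    # The post's default branch: ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}.
    # `or` mirrors `:-`, which falls through when the variable is unset or empty.
    return env.get("GITHUB_HEAD_REF") or env["GITHUB_REF_NAME"]

def build_request(env, head_oid, message, changed, deleted=()):
    """Build the JSON body for POST /graphql (assumed API, see the lead-in).

    changed:  {path: bytes} of created or updated files
    deleted:  paths removed from the working tree
    head_oid: commit the branch is expected to point at; GitHub rejects the
              mutation if the branch has moved, so a concurrent push is kept.
    """
    headline, _, body = message.partition("\n\n")
    commit_message = {"headline": headline}
    if body:
        commit_message["body"] = body
    file_changes = {
        # File contents travel base64-encoded inside the JSON request.
        "additions": [
            {"path": path, "contents": base64.b64encode(data).decode("ascii")}
            for path, data in sorted(changed.items())
        ],
        "deletions": [{"path": path} for path in sorted(deleted)],
    }
    return {
        "query": MUTATION,
        "variables": {"input": {
            "branch": {
                "repositoryNameWithOwner": env["GITHUB_REPOSITORY"],
                "branchName": target_branch(env),
            },
            "expectedHeadOid": head_oid,
            "message": commit_message,
            "fileChanges": file_changes,
        }},
    }

# Constructed sample: a pull_request run that reformatted one file and removed another.
SAMPLE_ENV = {"GITHUB_REPOSITORY": "example-org/example-repo",
              "GITHUB_HEAD_REF": "feature/docs", "GITHUB_REF_NAME": "12/merge"}
SAMPLE_REQUEST = build_request(
    SAMPLE_ENV, "0" * 40, "style: format code",  # "0" * 40 is a placeholder commit id
    changed={"README.md": b"# Title\n"}, deleted=["old.txt"])
```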

How To Use

commit-action is easy to use.
All inputs are optional.

You only need to run commit-action after fixing code in workflows.
Then it creates and pushes a commit to a remote branch.

name: Example
on:
  pull_request: {}
jobs:
  example:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

      # Fix files
      # ...

      - name: Push changes to the remote branch
        uses: suzuki-shunsuke/commit-action@db754eb4adb44fb5aee5879a3bd08785efec198e # v0.0.4

commit-action fails if it pushes a commit.
If no change is pushed, commit-action does nothing and exits successfully.

By default, commit-action pushes a commit to ${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}} in $GITHUB_REPOSITORY, but you can change both.
${{github.token}} is used by default, but we don't recommend it because a commit pushed with ${{github.token}} doesn't trigger a new workflow run.
We recommend GitHub App installation access tokens.
You can create a GitHub App installation access token and pass it to commit-action yourself, or you can pass a GitHub App ID and private key instead.
In that case, commit-action creates a GitHub App installation access token scoped to the minimum repositories and permissions.

- uses: suzuki-shunsuke/commit-action@db754eb4adb44fb5aee5879a3bd08785efec198e # v0.0.4
  with:
    app_id: ${{secrets.APP_ID}}
    app_private_key: ${{secrets.APP_PRIVATE_KEY}}

commit-action commits all created, updated, and deleted files by default, but you can also commit only specific files.
You can also change the commit message.

- uses: suzuki-shunsuke/commit-action@db754eb4adb44fb5aee5879a3bd08785efec198e # v0.0.4
  with:
    commit_message: "style: format code"
    files: |
      README.md
      package-lock.json